Scylla Imports Reconstruction

[Aguila]

OllyDbg 2 is here with improved Windows 7 support, so how about a new imports reconstructor tool?

ImpREC, CHimpREC, Imports Fixer... this are all great tools to rebuild an import table, but they all have some major disadvantages, so I decided to create my own tool for this job.

Scylla's key benefits are:

• x64 and x86 support
  
• full unicode support (probably some russian or chinese will like this :-) )
  
• written in C/C++
  
• plugin support
  
• works great with Windows 7
  

And the best: this tool will be open-source soon. First, I need to improve the code design.

Currently there are only 2 plugins (PECompact, PESpin x64) in this release, full sourcecode for both is included.

If you have something to constribute, please feel free to post it or contact me, some ideas:

• convert the plugin header to x86 and x64 assembly (I can't do it because I hate assembly coding )
  
• code an improved dump engine (e.g. dump by sections) with some GUI
  
• write some open-source plugin
  
• some nice GFX for the about dialog.
  
• add a feature you think is useful
  
• everything you may think is useful
  

This tool was designed to be used with Windows 7 x64, so it is recommend to use this operating system. But it may work with XP and Vista, too.

Scylla is still in some early development stage, there are probably some bugs.

Download introduction video: Unpacking PESpin x64

http://hotfile.com/d..._intro.rar.html

Download:
/>http://forum.tuts4you.com/topic/27127-scylla-imports-reconstruction/page__view__findpost__p__128302

Edited August 28, 2011 by Aguila

[LCF-AT]

@ Aguila

Nice idea. So test your tool a bit now and I see at first a bug to get all APIs of all dlls.So your tool does not recognizes a valid API and shows it as unvalid.

773AD2ED CreateStatusWindowW | COMCTL32.dll <-- Only API

So you can test it if you load the normal Notepad.exe

 01001000 >77DA6FC8  ADVAPI32.RegQueryValueExW
01001004 >77DA6BF0  ADVAPI32.RegCloseKey
01001008 >77DC8F7D  ADVAPI32.RegCreateKeyW
0100100C >77DCD5FD  ADVAPI32.IsTextUnicode
01001010 >77DA7883  ADVAPI32.RegQueryValueExA
01001014 >77DA761B  ADVAPI32.RegOpenKeyExA
01001018 >77DAD7CC  ADVAPI32.RegSetValueExW
0100101C  00000000
01001020 >773AD2ED  COMCTL32.CreateStatusWindowW
01001024  00000000
01001028 >77F05923  GDI32.EndPage
0100102C >77F23412  GDI32.AbortDoc

Just a quick info for you.Test was with win XP SP2.

greetz

EDIT: Try to add a internal refresh function.So I think your tool has the same problem like Olly sometimes with the API names there you have also to refresh to get the names for each API address.

Edited August 28, 2011 by LCF-AT

[quosego]

Nice.

Just something I noticed when giving it a test run it crashes when attaching to any deamon tools exe. They don't use the import protection of VMprotect and should not pose a problem.

Don't need it for that, but just attached it to some random apps I had running. Used the x86 version.

EDIT:

Seems to be a problem when walking:

CPU Stack Address   Value  	ASCII Comments
0018F250  /006826A0   &h   ; |Arg1 = UNICODE "C:\Program Files\DAEMON Tools Pro\ImgEngine.dll"

Edited August 28, 2011 by quosego

[Aguila]

@LCF-AT

Thanks for the bug report. I tried XP Sp3 notepad and it indeed fails, I don't know why yet. If I copy the notepad.exe to win 7 everything works fine. The COMCTL32.DLL is read from WinSxS folder, maybe there is some problem.

But I will fix it. Maybe you want to update to XP SP3 at least? Especially XP 64Bit has some serios API bugs.

@quosego

Thanks for the hint.This tool reads the export table from memory, the daemon tools software destroys the export table directory in memory somehow, so it fails...

Argh.. sorry the export table size in the pe header is wrong

EDIT:

Both bugs are fixed now. Thanks for your help.

It was really some WinSxS problem...

Tested it with Daemon tools lite, imports look valid.

Edited August 28, 2011 by Aguila

[Teddy Rogers]

I just took a quick peak and noticed plugin error. Possibly you can get x86 and x64 to ignore the alternate bit plugins on load or have them located in dedicated folders?

Ted.

[Aguila]

@Teddy

They should be ignored already. If I start Scylla_x64 I can only see the PESpin Plugin and with Scylla_x86 there appears the PECompact Plugin. How did you get this plugin error?

[cyberbob]

Impressive tool, but also a bit of sadness cause of PESpin plugin

[Aguila]

but also a bit of sadness cause of PESpin plugin

Oh sorry, I didn't know that the author of PESpin is regged here. Well, PESpin was a nice first target.

The api redirection is really nice and you still have the OEP redirection, so PESpin is still good to protect a file.

Edited August 29, 2011 by Aguila

[Teddy Rogers]

How did you get this plugin error?

I unpacked the archive and fired up the 32bit version. A message popped up saying one of the plugins had a bad image. I did not investigate or do anything else so I am making a presumption that is the cause of the error...

Ted.

[quosego]

@ Aguila

Jups tested it on the newest deamon tools pro and it seems to work fine now. Nice work.

I get the error on win7 as well.

Edited August 29, 2011 by quosego

[Killboy]

As for the error, I get it too on XP x86. Win7 doesn't show an error box here.

Simple fix:

To enable or disable error messages displayed by the loader during DLL loads, use the SetErrorMode function.

[Aguila]

I fixed this bug in the newest version 0.1b. I didn't think that windows will create some stupid error messages...

Edited August 29, 2011 by Aguila

[Killboy]

I fixed this bug in the newest version 0.1b. I didn't think that windows will create some stupid error messages...

That's an evil combination

[Teddy Rogers]

Please post all bug reports in the Scylla forum found here...

http://forum.tuts4yo...reconstruction/

...I will close this topic and leave pinned for a few days. Thank you...

Ted.